The attached script is not directly Joomla! related. After seeing quite an upsurge in attempted and, unfortunately, successful exploits in the forums in recent weeks, we decided to release a script that we have, to try and at least "limit" the damage caused if we have missed something...

Information/Overview:
A reasonably effective script to search for particular known strings within .php and .cgi files that MAY present exploit capabilities.

The simple logic is by no means "fool proof" or "exhaustive", but gives a reasonably good indication that the target script may be part of an exploit set. False positives are extremely possible, due to the fact that many valid scripts make use of the same logic/technologies to achieve required activities; therefore some "human intelligence" must be applied to the final reports.

Installation:

1) FTP sploitFinder.sh.txt to your server
2) Rename to either sploitFinder.sh or just sploitFinder
3) chmod 755 sploitFinder
4) READ the comments and instructions in the file
5) Run it to test with all the different switches, set up crons, etc.

This is the search pattern criteria. Listed are some of the signatures of some exploits we have heard of; these ARE NOT exhaustive. Obviously, the more variables there are, the longer each run will take.

As ever, this program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


The script has been designed to search through all .php and .cgi files in the designated searchpath (default: /home), looking for the strings in $sploitpattern. If run without the -a or -r switch it will only report new files with matches since the last scan. So we believe that answers point 1).

If the file has been modified: if the file was not captured on a previous scan it will be reported this scan, but at the moment the script does not capture subsequent changes to a file that has already been reported once for other string matches (if it was already reported once, it should have been reviewed already). If you reset/rebuild (-r switch) occasionally, that will ensure that files that have been subsequently modified, after already being reported, will be re-reported. Does this answer 2)?

We will look into your suggestion of an exclusion list for filenames not to scan, in an attempt to eliminate false positives. Don't hold your breath though, busy as ever. We will post in here again if/when it is implemented.
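The scan-and-report logic the reply above describes (match .php and .cgi files under a search path against a pattern list, report only hits that are new since the last scan unless -a or -r is given), written out as an added example; this is not the sploitFinder script itself, and the pattern list, the exact switch semantics, the state-file layout and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not the sploitFinder script itself: a minimal scanner that
# reports .php/.cgi files matching a pattern list and, by default, only the
# files not already recorded in a state file by an earlier scan.

# Illustrative pattern list (assumption: the thread does not reproduce the
# real $sploitpattern). grep -E alternation, so regex metacharacters are escaped.
SPLOITPATTERN='base64_decode\(|passthru\(|shell_exec\(|fsockopen\('

# scan_new SEARCHPATH STATEFILE [-a|-r]   (switch semantics assumed from the post)
#   no switch: report matching files absent from STATEFILE, then record them
#   -a       : report every matching file; STATEFILE is left untouched
#   -r       : empty STATEFILE first (rebuild), so every match is re-reported
scan_new() {
    searchpath=$1; state=$2; mode=${3:-}
    [ "$mode" = "-r" ] && : > "$state"
    [ -f "$state" ] || : > "$state"
    find "$searchpath" -type f \( -name '*.php' -o -name '*.cgi' \) |
    while IFS= read -r f; do
        grep -Eq "$SPLOITPATTERN" "$f" || continue      # no signature: skip
        if [ "$mode" = "-a" ]; then
            printf '%s\n' "$f"
        elif ! grep -Fxq -- "$f" "$state"; then        # new since last scan
            printf '%s\n' "$f"
            printf '%s\n' "$f" >> "$state"
        fi
    done
}

# Constructed sample tree for a stand-alone run: two files carrying a
# signature, one clean .php, and a .txt that is ignored by extension.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site/images"
    printf '<?php $s = base64_decode("aGVsbG8="); ?>\n' > "$d/site/images/x.php"
    printf '#!/usr/bin/perl\n# constructed sample: fsockopen(\n' > "$d/site/cmd.cgi"
    printf '<?php echo "hello"; ?>\n' > "$d/site/index.php"
    printf 'base64_decode(\n' > "$d/site/notes.txt"
    printf '%s\n' "$d"
}

# Stand-alone demo: the first scan reports two files, a repeat scan reports none.
top=$(make_sample_tree)
scan_new "$top/site" "$top/state.txt"
scan_new "$top/site" "$top/state.txt"   # prints nothing: both already recorded
rm -rf "$top"
```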

Sorry for the stupid question, but how do we actually run this? I've followed the instructions and uploaded it etc., however it just says 'run the script'. I've tried opening it in a browser, but that just opens a file download selector...

Yes, from time to time the patterns will be updated, but there is nothing to stop you from updating or adding to the patterns yourself if you see something occurring on your own servers or in any security forums you may follow.

As for your mail problem: you are getting permission denied from the mail program; either the user you are running the script as does not have access to the mail binary, or maybe security on your host disables command-line use of the binary.

In the *.txt file are a bunch of ^M from an MS-DOS-like editor (gee, thanks Bill, for this crap).
In a Windows editor you don't even see this, but in vi or whatever you've got, there are a bunch of these line breaks (?)...

It may happen that some systems run into trouble because of the ^M; check this and delete them and I am sure it will run...

It is insane. I am currently using Hostgator as my hosting company. I uploaded this script into my account and was in the process of using emacs to edit the script. I haven't even run it once. I suddenly got an email saying that my account is suspended because of this script. I asked them to lift the suspension but they asked me to wait for a response.

Talk to your host? They are most likely evaluating the script as to its use and purpose, seeing as it popped their own security.

This is actually goodness: your host is proactively attempting to protect you (and themselves) against potential exploits... Congratulations to your host for their approach and attitude to security. However, this may mean that you cannot make use of the posted script on your account.

This script probably got detected by a script of theirs looking for common or known exploits. This script contains some "keywords" of common and known exploits, and so does their script. The result being that their script considers this script to be a possible exploit script itself (a false positive), because our search keywords match their search keywords, and suspended the account to avoid abuse of your account.